Privacy business resource 8: Sending personal information overseas

The aim of this resource is to assist organisations to understand their obligations under the Australian Privacy Principles (APPs) when sending personal information overseas. This resource supplements, and should be read together with the full text of the APPs, section 16C of the Privacy Act 1988 (Privacy Act) and the Office of the Australian Information Commissioner’s (OAIC) APP guidelines.

Key points

The APPs that apply when sending personal information overseas partly depend on whether it is a ‘use’ or a ‘disclosure’ of the information.

Where it is a disclosure, the APP entity must take reasonable steps to ensure the overseas recipient complies with the APPs, and will remain accountable if the overseas recipient breaches the APPs (subject to exceptions).

Where it is a use, the APP entity may still be considered to ‘hold’ the personal information, even though the information is physically located overseas. For this reason, the entity must comply with the APPs that apply to an APP entity that holds personal information, and will be accountable for any breach of those APPs.

These obligations mean that, in practice, the steps that an APP entity takes and their accountability when sending personal information overseas can be similar regardless of whether the information is being used or disclosed.

For this reason, where it is unclear whether the personal information is being used or disclosed, the best approach is to take reasonable steps to ensure the APPs are complied with.

Background

The 13 APPs in Schedule 1 of the Privacy Act set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They apply to Australian and Norfolk Island Government agencies and many private sector organisations. These are referred to as APP entities.

The privacy protections that apply when sending personal information overseas reflect a central object of the Privacy Act — facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected (s 2A(f)). This recognises the global interdependence of today’s economy, underpinned by the flow of information, including personal information, across national borders. At the same time, cross-border transfers of personal information are known to be a source of significant community concern. The framework provided by the Privacy Act addresses the balance between this community concern and the need to send personal information overseas for legitimate business purposes.

The APPs do not prevent an APP entity from sending personal information overseas. However, APP entities will need to carefully consider steps that may need to be taken to comply with the APPs. This resource explores some key privacy concepts and issues that will assist entities to understand and comply with the APPs when sending personal information overseas.

How is an overseas ‘use’ of personal information distinguished from an overseas ‘disclosure’ of personal information?

Where an APP entity sends personal information overseas, the APPs that apply partly depend on whether this is taken to be a ‘use’ or a ‘disclosure’ of personal information.

The terms ‘use’ and ‘disclosure’ are not defined in the Privacy Act. The APP guidelines include the following guidance about these terms:

‘Use’ — generally, an APP entity uses personal information when it handles and manages that information within the entity’s effective control.

‘Disclosure’ — an APP entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control.

The distinction between a ‘use’ and a ‘disclosure’ depends on the degree of control the APP entity has over the information after it is provided to the overseas recipient. Different obligations apply depending on whether an entity ‘uses’ or ‘discloses’ personal information; these obligations are discussed in more detail below. For further guidance on the meanings of ‘use’ and ‘disclosure’, see Chapter B (Key Concepts) of the APP guidelines. Chapter 8 (APP 8 — cross-border disclosure of personal information) of the APP guidelines contains further guidance and examples of where the provision of information to an overseas contractor is a use or a disclosure.

However, the OAIC recognises that in some instances it can be difficult to determine whether the information is being ‘used’ or ‘disclosed’. In such cases, the practical effect of distinguishing a ‘use’ from a ‘disclosure’ should not be overstated. Whether an APP entity sends personal information to an overseas recipient as a ‘use’ or as a ‘disclosure’, it may still be held accountable for mishandling of that information by the overseas recipient. In practice, the steps that an APP entity takes and its accountability when sending personal information overseas can be similar regardless of whether the information is being used or disclosed. For this reason, where it is unclear whether the personal information is being used or disclosed, the best approach is to take reasonable steps to ensure the APPs are complied with. An APP entity that sends personal information overseas may be liable if the personal information is mishandled.

How does the Privacy Act apply where an APP entity ‘discloses’ personal information overseas?

APP 8 and s 16C apply when an APP entity discloses personal information overseas. They do not apply where an entity retains such a degree of control over the information that it is considered to be ‘using’ the information.

APP 8.1 provides that before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Where an entity discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach the APPs (s 16C). However, there are exceptions to the requirement in APP 8.1 and to the accountability provision in s 16C.

For further guidance on APP 8 and s 16C, see Chapter 8 of the APP guidelines.

Other APPs that also apply when an APP entity discloses personal information overseas include:

APPs 1.4(f) and (g) requiring certain information to be included in an entity’s APP Privacy Policy about likely overseas disclosures

APPs 5.2(i) and (j) requiring reasonable steps to be taken to notify an individual or ensure awareness of certain matters about likely overseas disclosures, at or before the time an entity collects personal information

APP 6, which requires an entity to only use or disclose personal information it holds for the primary purpose for which it was collected or for a related (or in the case of sensitive information, directly related) secondary purpose that is within the individual’s reasonable expectation, unless an exception applies.

If an APP entity takes reasonable steps to comply with APP 8, can it still be held accountable under section 16C?

Yes. An APP entity may be liable for the acts or practices of the overseas recipient even when:

the entity has taken reasonable steps under APP 8.1 to ensure the overseas recipient does not breach the APPs, and the overseas recipient subsequently does an act or practice that would breach the APPs

the overseas recipient discloses the individual’s personal information to a subcontractor and the subcontractor breaches the APPs

the overseas recipient accidentally breaches the APPs in relation to the information.

When resolving matters brought to its attention under s 16C, the OAIC will take account of the reasonable steps taken by the entity to comply with APP 8.1.[1] The OAIC’s Privacy regulatory action policy outlines a range of other matters that the OAIC will take into account in deciding when to take privacy regulatory action, and what action to take.

What reasonable steps could an APP entity take to comply with APP 8.1?

It is generally expected that an APP entity will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs (other than APP 1), and that it will take steps to ensure compliance with those contractual arrangements.[2] See Chapter 8 of the APP guidelines for a discussion of the terms this contract may include.

However, the steps that are reasonable under APP 8 will depend on factors that include:

the sensitivity of the information

the possible adverse consequences for an individual if the information is mishandled

the entity’s relationship with the overseas recipient

existing technical and operational safeguards

the practicability of particular steps, including time and cost involved.

Where, having regard to the factors outlined above, it is not reasonable to enter into an enforceable contractual arrangement requiring the overseas recipient to comply with all the APPs, an entity should consider what other steps might satisfy APP 8.1, with a view to minimising the risk that the personal information will be mishandled by the overseas recipient. Such steps should focus on ensuring compliance with those APPs assessed to be of greatest privacy risk in the circumstances, and might include:

enforceable contractual arrangements that specify:

    the purpose/s for which the overseas recipient and any subcontractors are permitted to use or disclose the personal information — noting that APP 6 outlines when an APP entity may use or disclose personal information

    the minimum technical and organisational measures that will apply to ensure the security of the personal information overseas — noting that APP 11 requires an APP entity to take active measures to ensure the security of personal information it holds. For examples of steps and strategies which may be reasonable for an entity to take to secure the information, see the Guide to securing personal information: ‘Reasonable steps’ to protect personal information

    agreed procedures for providing access to personal information on request, and for making any necessary corrections — noting that APPs 12 and 13 require an APP entity to give access to, and correct, an individual’s personal information in certain circumstances

    mechanisms that enable the APP entity to monitor compliance with these arrangements.

assessing whether the terms of an existing enforceable contract with the overseas recipient require the recipient to handle personal information in a manner that is generally equivalent to the APPs.

ensuring non-contractual mechanisms are in place that minimise the risk that personal information will be mishandled by the overseas recipient, for example:

    asking the recipient to provide the APP entity with its internal policies and procedures for handling personal information, such as privacy policies, information-security policies and data retention policies, and checking that these provide for practices that are generally equivalent to the APP requirements. In making this assessment, entities should be aware that a recipient may be able to change the terms of these policies, procedures and systems without notifying, or seeking the agreement of, the APP entity.

The OAIC recognises that there are complexities in negotiating such contractual terms, as well as in ensuring these kinds of organisational and technical measures are in place. However, the Privacy Act is clear about an APP entity’s accountability where an overseas recipient handles personal information in a way that would breach one or more APPs. The result may well be that an entity assesses some proposed overseas disclosures of personal information to be unwise. For example, an APP entity may decide, based on a risk assessment, not to send personal information to an overseas recipient because the risk that the overseas recipient will mishandle the information is not sufficiently mitigated. Similarly, an APP entity may decide against sending personal information to a particular overseas location based on its assessment that the privacy, reputational and commercial risks of doing so are too high.[3]

How does the Privacy Act apply where an APP entity ‘uses’ personal information overseas?

In most circumstances, providing personal information to an overseas recipient (including to a contractor located overseas to perform services on the entity’s behalf) is considered a ‘disclosure’, to which APP 8 and s 16C apply. However, in relatively limited circumstances, an APP entity might retain such a degree of control over the information that it is considered to be ‘using’ that information. For example, where an APP entity provides personal information to a cloud service provider located overseas, this may be a ‘use’ if the information is provided for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, and a binding contract between the parties:

requires the provider only to handle the personal information for these limited purposes

requires any subcontractors to agree to the same obligations, and

gives the entity effective control of how the personal information is handled by the provider. Issues to consider include whether the entity retains the right or power to access, change or retrieve the personal information, who else will be able to access the personal information and for what purposes, what type of security measures will be used for the storage and management of the personal information (see also APP 11.1, Chapter 11 of the APP guidelines) and whether the personal information can be retrieved or permanently deleted by the entity when no longer required or at the end of the contract.

Whether other arrangements are considered a ‘use’ or a ‘disclosure’ will depend on the circumstances of each individual case, having regard to the degree of control held by the APP entity. However, the practical effect of distinguishing a ‘use’ from a ‘disclosure’ should not be overstated under the Privacy Act. An APP entity that sends personal information to an overseas recipient as a ‘use’ may still be held accountable for mishandling of that information by the overseas recipient, on the basis that it is considered to still ‘hold’ the information, even though the information is physically located overseas.

A number of APPs apply to an APP entity that ‘holds’ personal information (such as APPs 6, 11, 12 and 13). An entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)). This means that one entity can physically possess personal information that another entity controls. In such situations, both entities will ‘hold’ the information at the same time. If covered by the Privacy Act, each will have separate responsibilities in relation to handling that information under the Privacy Act. Where an APP entity sends personal information overseas, it may therefore breach these APPs if the information is mishandled by the recipient. For example, the entity:

may be in breach of APP 6, which requires an entity to only use or disclose personal information it holds for the primary purpose for which it was collected (exceptions apply), if there is an unauthorised use or disclosure of the information

may be in breach of APP 11.1 if it has not taken reasonable steps to ensure the security of the information while it is in the overseas recipient’s physical possession

must comply with the requirements in APPs 12 and 13 relating to access and correction of personal information, even though the information is in the overseas recipient’s physical possession.

For further discussion of the meaning of ‘holds’, see Chapter B (Key Concepts) of the APP guidelines.

Does the Privacy Act prevent an APP entity from storing or processing personal information in the cloud overseas?[4]

Generally, no.[5] The Privacy Act does not prevent an APP entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as it must for any other overseas outsourcing arrangement.

Footnotes

[2] An agency that discloses personal information to a recipient that is engaged as a contracted service provider must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an APP if done by that agency (s 95B).

[3] Section 13D provides that ‘an act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable foreign law’. The effect of this provision is that where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the Privacy Act and the APP entity will not be held accountable. However, section 13D only applies where an overseas recipient has a legal obligation to handle personal information in a particular way, and not where the law only authorises the handling of the information in that way, or is unclear. In addition, an entity’s customers may have concerns about any unexpected disclosure of their personal information by the overseas recipient, particularly if this is made at the request of a foreign government.

[4] Cloud computing is a term used for delivering hosted services over the internet to remotely store, process and share digital data, Australian Communications and Media Authority, The Cloud – Services, Computing and Digital Data Emerging Issues in Media and Communications, p. 4, <www.acma.gov.au>

[5] However, Part IIIA of the Privacy Act, which regulates credit reporting, includes some restrictions on sending information held in the Australian credit reporting system overseas; see OAIC Privacy Business Resource 3: Credit reporting – what has changed, available at www.oaic.gov.au. The Personally Controlled Electronic Health Records (PCEHR) Act 2012, which gives the Commissioner certain regulatory responsibilities in relation to the PCEHR system, prevents certain PCEHR operators and service providers from holding, taking, processing or handling records held for PCEHR purposes outside Australia, and from causing or permitting anyone else to do so.